DET0765 Detection of Service Stop
| Item | Value |
| --- | --- |
| ID | DET0765 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T0881 (Service Stop)
Analytics
ICS
AN1897
Monitor for changes made to files that may stop or disable services on a system to render those services unavailable to legitimate users.
Monitor executed commands and arguments that may stop or disable services on a system to render those services unavailable to legitimate users.
Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW may be used by an adversary to prevent services from starting. For added context on adversary procedures and background see Service Stop.
Monitor processes and command-line arguments to see if critical processes are terminated or stop running. For added context on adversary procedures and background see Service Stop.
Alterations to the service binary path, or a change of the service startup type to disabled, may be suspicious.
Monitor for changes made to Windows registry keys and/or values that may stop or disable services on a system to render those services unavailable to legitimate users.
Monitor for newly executed processes that may stop or disable services on a system to render those services unavailable to legitimate users.
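The command-line and registry checks described above can be combined into one pass over collected events. The following is an added example, not part of the ATT&CK analytic: the event field names (`type`, `host`, `cmdline`, `key`, `value`), the watchlist entries and the sample events are all constructed assumptions. The registry rule also covers tools that change service configuration through the API rather than `sc.exe`, since the result is stored under the `Services` key.

```python
import re

# Hypothetical watchlist of service/process names that matter on this site.
CRITICAL = {"historiansvc", "opcserver.exe"}

_HOST = r"(?:\\\\\S+\s+)?"   # optional \\remotehost argument to sc.exe
_NAME = r'("[^"]+"|\S+)'      # service or image name, quoted or bare
CMD_RULES = [
    ("service_stop", re.compile(rf"\b(?:sc|net1?)(?:\.exe)?\s+{_HOST}stop\s+{_NAME}", re.I)),
    ("service_disabled", re.compile(rf"\bsc(?:\.exe)?\s+{_HOST}config\s+{_NAME}.*\bstart=\s*disabled", re.I)),
    ("binpath_changed", re.compile(rf"\bsc(?:\.exe)?\s+{_HOST}config\s+{_NAME}.*\bbinpath=", re.I)),
    ("process_killed", re.compile(rf"\btaskkill(?:\.exe)?\b.*?/im\s+{_NAME}", re.I)),
]
# Per-service configuration values: Start (4 = disabled) and ImagePath (binary path).
REG_KEY = re.compile(r"\\Services\\([^\\]+)\\(Start|ImagePath)$", re.I)

def detect(events, critical=CRITICAL):
    """Return (host, finding, target, severity) for each service-stop indicator."""
    findings = []
    for ev in events:
        hits = []
        if ev["type"] == "process":
            for name, rx in CMD_RULES:
                m = rx.search(ev["cmdline"])
                if m:
                    hits.append((name, m.group(1).strip('"')))
        elif ev["type"] == "registry":
            m = REG_KEY.search(ev["key"])
            if m and m.group(2).lower() == "start" and str(ev["value"]) == "4":
                hits.append(("service_disabled", m.group(1)))
            elif m and m.group(2).lower() == "imagepath":
                hits.append(("binpath_changed", m.group(1)))
        for name, target in hits:
            sev = "high" if target.lower() in critical else "medium"
            findings.append((ev["host"], name, target, sev))
    return findings

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "host": "hmi-01", "cmdline": r"C:\Windows\System32\sc.exe config HistorianSvc start= disabled"},
    {"type": "process", "host": "hmi-01", "cmdline": 'net stop "Print Spooler"'},
    {"type": "process", "host": "eng-02", "cmdline": "taskkill /F /IM opcserver.exe"},
    {"type": "process", "host": "eng-02", "cmdline": "sc query HistorianSvc"},
    {"type": "registry", "host": "hmi-01", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\HistorianSvc\Start", "value": 4},
    {"type": "registry", "host": "hmi-01", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\HistorianSvc\Start", "value": 2},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Routine maintenance produces the same events, so findings are best reviewed against change windows and the accounts expected to manage services.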
Log Sources
Mutable Elements